Russian Military Spy Software Is On Home Routers

Uploaded on 2018-08-22 in NEWS-Cybersecurity News, INTELLIGENCE-Hot Spots-Russia, FREE TO VIEW, TECHNOLOGY--Hackers

The Russian military is inside hundreds of thousands of routers owned by Americans and others around the world, a top U.S. cybersecurity official said on Friday. The presence of Russian malware on the routers, first revealed in May, could enable the Kremlin to steal individuals’ data or enlist their devices in a massive attack intended to disrupt global economic activity or target institutions.

On May 27, Justice Department officials asked Americans to reboot their routers to stop the attack. Afterwards, the world largely forgot about it. That’s a mistake, said Rob Joyce, senior advisor to the director of the National Security Agency and the former White House cybersecurity coordinator.

“The Russian malware is still there,” said Joyce.

On May 8, cybersecurity company Talos observed a spike in mostly Ukrainian victims of a new malware attack. Dubbed VPN Filter, the malware used code similar to the BlackEnergy tool that Russian forces have used (in modified form) to attack Ukrainian infrastructure. The U.S. intelligence community believes the culprits are the hackers known as APT 28 or Fancy Bear, Russian military operatives who were behind information attacks against the Democratic National Committee, State Department, and others. The new malware, if activated, could allow the Russian military to peer into the online activities of hundreds of thousands of people.

“The Cisco-Talos reports on the incident estimated hundreds of thousands of devices affected worldwide,” Joyce said.

Specifically, the May 23 report said, at least 500,000 victims in up to 54 countries.

The malware executes in three stages, according to the Talos report. The first stage is akin to a tick burrowing into a victim’s skin, to “dig in” with its teeth by changing the infected devices’ non-volatile persistent memory, the portion of the memory that persists even after the machine is turned off. During this phase, the malware also establishes links to any servers it finds.

Stages two and three are about receiving and executing the orders. These could include: stealing traffic data from the victim (via port 80), launching “man in the middle” attacks, using the router as a platform to attack other computers as part of a botnet, or overwriting the memory on the router to render it unusable.

The U.S. government effort to stop the attack “was effective at knocking down their command and control. But — and this is a ‘but’ we haven’t seen talked about that much — there was a persistent ‘stage one’ on all of those routers,” said Joyce. “If it was at a stage-two or stage-three implant, it knocked it back to one, which was power- and reboot-persistent. At that point, we couldn’t call back out via those two methods to re-establish command and control,” he told the crowd.

Bottom line: “It’s still on those routers and if you know the wake-up knock you can go in, control those routers, and put a stage two or three back on them… What do you think the odds are that the actors in Russia who put those down have the addresses of the places where the put the malware? I think it’s pretty high,” he said.

What’s needed now, Joyce said, is for government, industry, and cybersecurity professionals to find a way to straightforwardly tell individuals how to detect the presence of the malware on their routers and then to restore the device to its trustworthy state. The government won’t be able to do that for them “because, again, these are consumer devices…That’s the sort of thing we’re up against.”

Joyce served as the head of the NSA’s elite tailored access operations division. In effect, he was the official who presided over the NSA’s most sophisticated hacking research before joining the White House as cybersecurity coordinator. In April, the White House announced that Joyce would leave that job to return to the NSA, where he currently serves as an advisor to the director, Army Gen. Paul Nakasone, who also heads the military’s U.S. Cyber Command.

He used the majority of his Friday talk at DEFCON to focus on China, Russia, Iran, and North Korea and their malicious behavior online.

Like other cybersecurity professionals, he said that North Korea’s malicious targeting of financial institutions, particularly South Korean e-currency exchanges, was likely to continue. He also said that he expected to see probing of newly deployed missile defense radars and batteries in the region, such as Terminal High Altitude Area Defense, or THAAD, in South Korea.

Iranian hackers also pose a threat, Joyce said, saying that the demise of the Iran nuclear deal hinted at more attacks to come.

“When bilateral relations between Iran and Saudi Arabia decreased, we think that was a major factor in that January 2017 data deletion attacks in Saudi,” he said, referring to an incident where Iran state-backed hackers attacked 15 Saudi government and media targets with malware that was strikingly similar to the 2012 ‘Shamoon’ malware that Iran deployed against Saudi oil interests. “As we move to a point where the U.S. has just re-imposed sanctions on Iran, there’s a lot of focus on, ‘How are they going to respond?’”

Defense One:

You Might Also Read:

Can Russian Hackers Be Stopped?

« Why Some Computer Viruses Refuse To Die
UK Police Fail To Take Digital Advantage »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Virtustream

Virtustream

The Virtustream Enterprise Class Cloud provides a secure, highly available, Infrastructure as a Service (IaaS) to enterprises and government customers.

Splunk

Splunk

Splunk provide real-time Security Information & Event Management solutions for Enterprise Networks, Cloud and small-scale IT environments

Logscape

Logscape

Logscape provides a big data analytical tool for log file analysis and operational analytics.

Simula Research Laboratory

Simula Research Laboratory

Simula Research Laboratory carries out research in the fields of communication systems, scientific computing and software engineering.

GovCERT Austria

GovCERT Austria

GovCERT Austria is the Austrian Government Computer Emergency Response Team. Its constituency consists of Austria's public administration.

HCC Embedded

HCC Embedded

HCC’s mission is to ensure that data stored or communicated by an embedded IoT application is secure, safe and reliable.

StartupXseed Ventures

StartupXseed Ventures

StartupXseed Ventures is a smart capital provider for Deep Tech, B2B, Early Stage Startups. We support, NextGen Tech Entrepreneurs, who have potential to deliver the outsized growth.

Coveware

Coveware

Coveware helps businesses remediate ransomware. We help companies recover after files have been encrypted, and our analytic, monitoring and alerting tools help companies prevent ransomware incidents.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

Bytes Technology Group

Bytes Technology Group

Bytes is a leading provider of world-class IT solutions. Our growing portfolio of services includes cloud, security, licensing, SAM, storage, virtualisation and managed services.

Anonomatic

Anonomatic

Anonomatic’s mission is to make data privacy secure, simple and cost effective. We are Data and Privacy Experts who are passionate about helping organizations solve PII compliance.

Superus Careers - Cyber Career Exchange

Superus Careers - Cyber Career Exchange

The Cyber Career Exchange is a specialized recruiting platform focused specifically on cybersecurity.

Barrier Networks

Barrier Networks

Barrier Networks are a Cyber Security Managed Service Provider that specialises in Network and Application security.

RAH Infotech

RAH Infotech

RAH Infotech is India’s leading value added distributor and solutions provider in the Network and Security domain. We are specialists in Enterprise and App Security and Application Delivery.

SOC-E

SOC-E

SOC-E is a leading technology provider for high-availability and deterministic networking, sub-microsecond synchronization and cybersecurity solutions for critical sectors.

Creative Network Innovations (CNI)

Creative Network Innovations (CNI)

Creative Network Innovations is a leader in providing advanced IT and cybersecurity solutions.